Make sure remote ref does not change to different commit if
git repo changes in the middle of the build.
Signed-off-by: Tonis Tiigi <tonistiigi@gmail.com>
This is more flexible as from the user standpoint it might not
be easy to know if a version tag is annotated or not.
Downside of this change is that we can't create a cache key
automatically when checksum was set and no keep-git-dir as we
don't know which checksum is being used.
Signed-off-by: Tonis Tiigi <tonistiigi@gmail.com>
Pin of annotated tag should be tha SHA of tag, not
the commit it is pointing to.
Cache key of annotated tag should be SHA of the tag
if keep-git-dir is enabled and SHA of underlying
commit otherwise.
Signed-off-by: Tonis Tiigi <tonistiigi@gmail.com>
If tag was already pulled by --tags or without refs/tags
that creates ambigous reference in the shared repository.
Signed-off-by: Tonis Tiigi <tonistiigi@gmail.com>
This fails in `gitSourceHandler` because it can't handle *both* SHA-1 and SHA-256 before Git 2.45 (see PR comments), and there's not a simple way to fix that without newer Git or larger refactoring.
Signed-off-by: Tianon Gravi <admwiggin@gmail.com>
Signed-off-by: Tonis Tiigi <tonistiigi@gmail.com>
Because subdir filter happened before the submodule update it
resulted in empty directory being filtered and submodule update
being skipped because .gitmodules was already missing.
Signed-off-by: Tonis Tiigi <tonistiigi@gmail.com>
Convert usages of `github.com/docker/docker/pkg/idtools` to
`github.com/moby/sys/user` in order to break the dependency between
buildkit and docker.
Signed-off-by: Jonathan A. Sternberg <jonathan.sternberg@docker.com>
The current logic was incorrect in some places so that if first
session randomly chosen by `Any()` returned NotFound then other
sessions were not attempted.
For the main use case of mounting secrets as files the logic
was correct, but it was incorrect for example for the case of
adding secrets as environment variables.
Signed-off-by: Tonis Tiigi <tonistiigi@gmail.com>
The github.com/docker/docker/pkg/reexec package was moved to
a separate module; migrate to use that module instead.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
This fixes current issue when a Git commit is accessed
multiple times through different refs or ref is added
after commit has already been pulled once.
When keep-git-dir option is true, then program can
try to resolve the current reference via .git directory
and because old cache key was only the git commit, previous
.git directory can be reused without any refs inside.
There is no change to the behavior if keep-git-dir is
false as then requests through multiple refs yield to
identical content.
Only the reference in the user provided identifier is added
to the cache key, and that is the only one that can be
expected in .git because of the shallow fetches. We do not
do extra request to find named refs for a commit SHA if that is
provided in the identifier.
Signed-off-by: Tonis Tiigi <tonistiigi@gmail.com>
We shouldn't use the cachemount root, we should actually properly
use the worker's specified root which is propagated from the config.
Signed-off-by: Justin Chadwell <me@jedevc.com>
On a build with no-cache, cache mounts were not pruned correctly
if the mount was on top of another ref. This also appeared in
Dockerfile when mode/uid/gid was set because implicit parent
ref is created in these cases in order to change the permissions
of a subdir that is used as a cache mount base.
Because it is not possible to know ahead of time what ref
will become the parent of cache mount during build, all cache
mounts matching the ID that have a parent will be pruned.
Signed-off-by: Tonis Tiigi <tonistiigi@gmail.com>
appdefaults_unix.go, constants_unix.go:
/run is a thing only for Linux. Other Unixes use /var/run.
diffapply_linux.go and source_linux.go:
These files use Linux-only API.
Signed-off-by: Marat Radchenko <marat@slonopotamus.org>
On commit SHA input we currently do a full fetch of
remote so we can pick up the commit by SHA later. This
only pulls in tags that are also part of branches. Extra
flag is needed to also get the tags that are not part of
branches.
Signed-off-by: Tonis Tiigi <tonistiigi@gmail.com>
Previously, it was very possible for the CacheKey function to return a
sha key that was *not* the checked out commit.
There are two cases that I've encountered where this can happen:
- An annotated tag will have the pin of the tag, and not the underlying
commit, which will be HEAD after the checkout.
- If multiple tags have the same path component (e.g. "mytag" and
"abc/mytag") then the first alphabetical tag will be selected when (in
this case "abc/mytag").
To avoid this kind of case, we can't just search for a single match in
the results for ls-remote. There's no way to filter for just an exact
match, so we need to scan through the output ourselves. Additionally, we
need to dereference the annotated tags by also selecting refs ending in
"^{}" - which have the commit that the tag points at.
Finally, I've improved the test suite around this to check that:
- The cache-key pin is equivalent to the checked out commit
- We can check out non-master branches
- That full ref syntax like "refs/heads/<branch-name>" and
"refs/tags/<tag-name>" (or even "refs/<anything>") can be used.
Signed-off-by: Justin Chadwell <me@jedevc.com>
